Quick reference for building LDAP search filters.

---
title: LDAP Search Filter Cheatsheet
author: Jon LaBelle
date: January 4, 2021
source: https://jonlabelle.com/snippets/view/markdown/ldap-search-filter-cheatsheet
notoc: true
---

- [Filter operators](#filter-operators)
    - [Comparison operators](#comparison-operators)
    - [Combination operators](#combination-operators)
- [Filter basics](#filter-basics)
    - [To match a single attribute](#to-match-a-single-attribute)
    - [To match two attributes \(and\)](#to-match-two-attributes-and)
    - [To match two attributes \(or\)](#to-match-two-attributes-or)
    - [To match three attributes \(and\)](#to-match-three-attributes-and)
    - [To match three attributes \(or\)](#to-match-three-attributes-or)
    - [To perform a wildcard search](#to-perform-a-wildcard-search)
- [Sample filters](#sample-filters)
    - [Users in group](#users-in-group)
    - [Users in group \(include nested\)](#users-in-group-include-nested)
    - [Users in multiple groups](#users-in-multiple-groups)
    - [Users that must change their password at next logon](#users-that-must-change-their-password-at-next-logon)
    - [Users starting with a particular name](#users-starting-with-a-particular-name)
    - [Users by job title](#users-by-job-title)
- [Active Directory filters](#active-directory-filters)
    - [Domain and Enterprise Admins](#domain-and-enterprise-admins)
    - [All users except blocked](#all-users-except-blocked)
    - [Disabled user accounts](#disabled-user-accounts)
    - [Users with password never expires enabled](#users-with-password-never-expires-enabled)
    - [Users with empty email](#users-with-empty-email)
    - [Users in department](#users-in-department)
    - [Exclude disabled users](#exclude-disabled-users)
- [More Active Directory filters](#more-active-directory-filters)
- [References](#references)
- [Additional Resources](#additional-resources)

## Filter operators

### Comparison operators

The following comparison operators can be used in a filter:

| Operator |         Meaning          |
| -------- | ------------------------ |
| `=`      | Equality                 |
| `>=`     | Greater than or equal to |
| `<=`     | Less than or equal to    |
| `~=`     | Approximately equal to   |

For example, the following filter returns all objects with *cn* (common name) attribute value *Jon*:

    (cn=Jon)

### Combination operators

Filters can be combined using boolean operators when there are multiple search conditions

| Operator |               Description                   |
|----------|-------------------------------------------- |
| `&`      | AND --- all conditions must be met          |
| `|`      | OR --- any number of conditions can be met  |
| `!`      | NOT --- the condition must not be met       |

For example, to select objects with *cn* equal to *Jon* and *sn* (surname/last name) equal to *Brian*:

    (&(cn=Jon)(sn=Brian))

### Special Characters

The LDAP filter specification assigns special meaning to the following characters:

| Character | Hex Representation |
|-----------|--------------------|
| `*`       | `\2A`              |
| `(`       | `\28`              |
| `)`       | `\29`              |
| `\`       | `\5C`              |
| `Nul`     | `\00`              |

For example, to find all objects where the common name is `James Jim*) Smith`, the LDAP filter would be:

    (cn=James Jim\2A\29 Smith)

## objectCategory and objectClass

|    objectCategory    |             objectClass             |          Result          |
+----------------------+-------------------------------------+--------------------------+
| person               | user                                | user objects             |
| person               | n/a                                 | user and contact objects |
| person               | contact                             | contact objects          |
| user                 | user and computer objects           | n/a                      |
| computer             | n/a                                 | computer objects         |
| user                 | n/a                                 | user and contact objects |
| contact              | contact objects                     | n/a                      |
| computer             | computer objects                    | n/a                      |
| person               | user, computer, and contact objects | n/a                      |
| contact              | n/a                                 | user and contact objects |
| group                | n/a                                 | group objects            |
| n/a                  | group                               | n/a                      |
| person               | organizationalPerson                | user and contact objects |
| organizationalPerson | user, computer, and contact objects | n/a                      |
| organizationalPerson | n/a                                 | user and contact objects |

> Use the filter that makes your intent most clear. Also, if you have a choice
> between using *objectCategory* and *objectClass*, it is recommended that you use
> *objectCategory*. That is because *objectCategory* is both single valued and
> indexed, while *objectClass* is multi-valued and not indexed (except on Windows
> Server 2008 and above). A query using a filter with *objectCategory* will be
> more efficient than a similar filter with *objectClass*. Windows Server 2008
> domain controllers (and above) have a special behavior that indexes the
> *objectClass* attribute. You can take advantage of this if all of your domain
> controllers are Windows Server 2008, or if you specify a Windows Server 2008
> domain controller in your query. --- [Source](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostRecent)

## Filter basics

### To match a single attribute

    (sAMAccountName=<SomeAccountName>)

### To match two attributes (and)

    (&(objectClass=<person>)(objectClass=<user>))

### To match two attributes (or)

    (|(objectClass=<person>)(objectClass=<user>))

### To match three attributes (and)

    (&(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))

### To match three attributes (or)

    (!(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))

### To perform a wildcard search

    (&(objectClass=<user>)(cn=<*Marketing*>))

## Sample filters

### Users in group

To retrieve user account names (`sAMAccountName`) that are a member of a particular group (`SomeGroupName`):

    (&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=<SomeGroupName>,ou=<users>,dc=<company>,dc=<com>))

### Users in group (include nested)

To retrieve user account names (`sAMAccountName`), and nested user account names that are a member of a particular group (`SomeGroupName`):

    (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=<SomeGroupName>,ou=users,dc=company,dc=com))

### Users in multiple groups

To retrieve user account names (`sAMAccountName`) that are a member of any, or all the 4 groups (`fire`, `wind`, `water`, `heart`):

    (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=<fire>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<wind>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<water>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<heart>,ou=<users>,dc=<company>,dc=<com>)))

### Users that must change their password at next logon

To search Active Directory for users that must change their password at next logon:

    (objectCategory=person)(objectClass=user)(pwdLastSet=0)(!userAccountControl:1.2.840.113556.1.4.803:=2)

### Users starting with a particular name

To search *user* objects that start with Common Name *Brian* (`cn=Brian*`):

    (&(objectClass=user)(cn=<Brian*>))

### Users by job title

To find all users with a job title starting with *Manager* (`Title=Manager*`):

    (&(objectCategory=person)(objectClass=user)(Title=<Manager*>))

## Active Directory filters

Search filters supported only by Microsoft Active Directory.

### Domain and Enterprise Admins

To search for administrators in groups Domain Admins, Enterprise Admins:

    (objectClass=user)(objectCategory=Person)(adminCount=1)

### All users except blocked

To search all users except for blocked ones:

    (objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)

### Disabled user accounts

To list only disabled user accounts:

    (objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16)

### Users with password never expires enabled

    (objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

### Users with empty email

    (objectCategory=person)(!mail=*)

### Users in department

To search users in a particular department:

    (&(objectCategory=person)(objectClass=user)(department=<Sales>))

### Exclude disabled users

To find as user (`sAMAccountName=<username>`) that isn't disabled:

    (&(objectCategory=person)
    (objectClass=user)
    (sAMAccountType=805306368)
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    (sAMAccountName=<username>))

- The filter `(sAMAccountType=805306368)` on user objects is more efficient, but is harder to remember. \([Source](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostRecent)\)
- The filter `(!(UserAccountControl:1.2.840.113556.1.4.803:=2))` excludes disabled user objects. \([Source](https://community.atlassian.com/t5/Jira-questions/Ignoring-disabled-users-in-LDAP-Active-Directory/qaq-p/451709)\)

## More Active Directory filters

The following filters are from [Active Directory: LDAP Syntax Filters](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostRecent)

+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
|                                   Query                                    |                                           LDAP Filter                                            |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All user objects                                                           | (&(objectCategory=person)                                                                        |
|                                                                            |                                                                                                  |
|                                                                            | (objectClass=user))                                                                              |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All user objects                                                           | (sAMAccountType=805306368)                                                                       |
|                                                                            |                                                                                                  |
| (Note 1)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All computer objects                                                       | (objectCategory=computer)                                                                        |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All contact objects                                                        | (objectClass=contact)                                                                            |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All group objects                                                          | (objectCategory=group)                                                                           |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All organizational unit objects                                            | (objectCategory=organizationalUnit)                                                              |
|                                                                            |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All container objects                                                      | (objectCategory=container)                                                                       |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All builtin container objects                                              | (objectCategory=builtinDomain)                                                                   |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All domain objects                                                         | (objectCategory=domain)                                                                          |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Computer objects with no                                                   | (&(objectCategory=computer)                                                                      |
| description                                                                |                                                                                                  |
|                                                                            | (!(description=\*)))                                                                             |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Group objects with a description                                           | (&(objectCategory=group)                                                                         |
|                                                                            |                                                                                                  |
|                                                                            | (description=\*))                                                                                |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Users with cn starting with                                                | (&(objectCategory=person)                                                                        |
| \"Joe\"                                                                    |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (cn=Joe\*))                                                                                      |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Object with description                                                    | (description=East\\5CWest Sales)                                                                 |
| \"East\\West Sales\"                                                       |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 2)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Phone numbers in form (xxx)                                                | (telephoneNumber=(\*)\*-\*)                                                                      |
| xxx-xxx                                                                    |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Groups with cn starting with                                               | (&(objectCategory=group)                                                                         |
| \"Test\" or \"Admin\"                                                      |                                                                                                  |
|                                                                            | ((cn=Test\*)                                                                                     |
|                                                                            |                                                                                                  |
|                                                                            | (cn=Admin\*)))                                                                                   |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users with both a first and                                            | (&(objectCategory=person)                                                                        |
| last name.                                                                 |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (givenName=\*)                                                                                   |
|                                                                            |                                                                                                  |
|                                                                            | (sn=\*))                                                                                         |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users with direct reports but                                          | (&(objectCategory=person)                                                                        |
| no manager                                                                 |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (directReports=\*)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (!(manager=\*)))                                                                                 |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users with specified email                                             | (&(objectCategory=person)                                                                        |
| address                                                                    |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users with Logon Script field                                          | (&(objectCategory=person)                                                                        |
| occupied                                                                   |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (scriptPath=\*))                                                                                 |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Object with Common Name \"Jim \*                                           | (cn=Jim \\2A Smith)                                                                              |
| Smith\"                                                                    |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 3, 19)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Objects with sAMAccountName that                                           | (sAMAccountName>=x)                                                                              |
| begins with \"x\", \"y\", or                                               |                                                                                                  |
| \"z\"                                                                      |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Objects with sAMAccountName that                                           | (&(sAMAccountName<=a)                                                                            |
| begins with \"a\" or any number                                            |                                                                                                  |
| or symbol except \"$\"                                                     | (!(sAMAccountName=$\*)))                                                                         |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users with \"Password Never                                            | (&(objectCategory=person)                                                                        |
| Expires\" set                                                              |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
| (Note 4)                                                                   |                                                                                                  |
|                                                                            | (userAccountControl:1.2.840.113556.1.4.803:=65536))                                              |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All disabled user objects                                                  | (&(objectCategory=person)                                                                        |
|                                                                            |                                                                                                  |
| (Note 4)                                                                   | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (userAccountControl:1.2.840.113556.1.4.803:=2))                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All enabled user objects                                                   | (&(objectCategory=person)                                                                        |
|                                                                            |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
| (Note 4)                                                                   | (!(userAccountControl:1.2.840.113556.1.4.803:=2)))                                               |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users not required to have a                                           | (&(objectCategory=person)                                                                        |
| password                                                                   |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
| (Note 4)                                                                   | (userAccountControl:1.2.840.113556.1.4.803:=32))                                                 |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users with \"Do not require                                            | (&(objectCategory=person)                                                                        |
| kerberos preauthentication\"                                               |                                                                                                  |
| enabled                                                                    | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (userAccountControl:1.2.840.113556.1.4.803:=4194304))                                            |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Users with accounts that do not                                            | (&(objectCategory=person)                                                                        |
| expire                                                                     |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
| (Note 5)                                                                   |                                                                                                  |
|                                                                            | (\(accountExpires=0\)                                                                            |
|                                                                            |                                                                                                  |
|                                                                            | (accountExpires=9223372036854775807)))                                                           |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Users with accounts that do                                                | (&(objectCategory=person)                                                                        |
| expire                                                                     |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
| (Note 5)                                                                   |                                                                                                  |
|                                                                            | (accountExpires>=1)                                                                              |
|                                                                            |                                                                                                  |
|                                                                            | (accountExpires<=9223372036854775806))                                                           |
|                                                                            |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Accounts trusted for delegation (unconstrained delegation)                 | (userAccountControl:1.2.840.113556.1.4.803:=524288)                                              |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Accounts that are sensitive and                                            | (userAccountControl:1.2.840.113556.1.4.803:=1048576)                                             |
| not trusted for delegation                                                 |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All distribution groups                                                    | (&(objectCategory=group)                                                                         |
|                                                                            |                                                                                                  |
| (Notes 4, 15)                                                              | (!(groupType:1.2.840.113556.1.4.803:=2147483648)))                                               |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All security groups                                                        | (groupType:1.2.840.113556.1.4.803:=2147483648)                                                   |
|                                                                            |                                                                                                  |
| (Notes 4, 19)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All built-in groups                                                        | (groupType:1.2.840.113556.1.4.803:=1)                                                            |
|                                                                            |                                                                                                  |
| (Notes 4, 16, 19)                                                          |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All global groups                                                          | (groupType:1.2.840.113556.1.4.803:=2)                                                            |
|                                                                            |                                                                                                  |
| (Notes 4, 19)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All domain local groups                                                    | (groupType:1.2.840.113556.1.4.803:=4)                                                            |
|                                                                            |                                                                                                  |
| (Notes 4, 19)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All universal groups                                                       | (groupType:1.2.840.113556.1.4.803:=8)                                                            |
|                                                                            |                                                                                                  |
| (Notes 4, 19)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All global security groups                                                 | (groupType=-2147483646)                                                                          |
|                                                                            |                                                                                                  |
| (Notes 17, 19)                                                             |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All universal security groups                                              | (groupType=-2147483640)                                                                          |
|                                                                            |                                                                                                  |
| (Notes 17, 19)                                                             |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All domain local security groups                                           | (groupType=-2147483644)                                                                          |
|                                                                            |                                                                                                  |
| (Notes 17, 19)                                                             |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All global distribution groups                                             | (groupType=2)                                                                                    |
|                                                                            |                                                                                                  |
| (Note 19)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All objects with service                                                   | (servicePrincipalName=\*)                                                                        |
| principal name                                                             |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Users with \"Allow Access\" on                                             | (&(objectCategory=person)                                                                        |
| \"Dial-in\" tab of ADUC                                                    |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
| (Note 6)                                                                   |                                                                                                  |
|                                                                            | (msNPAllowDialin=TRUE))                                                                          |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Users with \"Control access                                                | (&(objectCategory=person)                                                                        |
| though NPS Network Policy\" on                                             |                                                                                                  |
| \"Dial-in\" tab of ADUC                                                    | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (!(msNPAllowDialin=\*)))                                                                         |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All groups created after March 1,                                          | (&(objectCategory=group)                                                                         |
| 2011                                                                       |                                                                                                  |
|                                                                            | (                                                                                                |
|                                                                            | whenCreated>=20110301000000.0Z))                                                                 |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users where an administrator                                           | (&(objectCategory=person)                                                                        |
| has set that they must change                                              |                                                                                                  |
| their password at next logon                                               | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (pwdLastSet=0))                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users that changed their                                               | (&(objectCategory=person)                                                                        |
| password since April 15, 2011                                              |                                                                                                  |
| (CST)                                                                      | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
| (Note 7)                                                                   | (pwdLastSet>=129473172000000000))                                                                |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users with \"primary\" group                                           | (&(objectCategory=person)                                                                        |
| other than \"Domain Users\"                                                |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (!(primaryGroupID=513)))                                                                         |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All computers with \"primary\"                                             | (&(objectCategory=computer)                                                                      |
| group \"Domain Computers\"                                                 |                                                                                                  |
|                                                                            | (primaryGroupID=515))                                                                            |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Object with GUID "90395F191AB51B4A9E9686C66CB18D11"                        | (objectGUID=\90\39\5F\19\1A\B5\1B\4A\9E\96 \86\C6\6C\B1\8D\11)                                   |
|                                                                            |                                                                                                  |
| (Note 8)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Object beginning with GUID "90395F191AB51B4A"                              | (objectGUID=\90\39\5F\19\1A\B5\1B\4A\*)                                                          |
|                                                                            |                                                                                                  |
| (Note 8)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Object with SID "S-1-5-21-73586283-152049171-839522115-1111"               | (objectSID=S-1-5-21-73586283-152049171-839522115-1111)                                           |
|                                                                            |                                                                                                  |
| (Note 9)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Object with SID "0105000000000005150000006BD662041316100943170A3257040000" | (objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\6B\D6\62\04\13\16\10\09\43\17\0A\32\57\04\00\00) |
|                                                                            |                                                                                                  |
| (Note 9)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All computers that are not Domain                                          | (&(objectCategory=computer)                                                                      |
| Controllers                                                                |                                                                                                  |
|                                                                            | (!(userAccountControl:1.2.840.113556.1.4.803:=8192)))                                            |
| (Note 4)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All Domain Controllers                                                     | (&(objectCategory=computer)                                                                      |
|                                                                            |                                                                                                  |
| (Note 4)                                                                   | (userAccountControl:1.2.840.113556.1.4.803:=8192))                                               |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All Domain Controllers                                                     | (primaryGroupID=516)                                                                             |
|                                                                            |                                                                                                  |
| (Notes 14, 19)                                                             |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All servers                                                                | (&(objectCategory=computer)                                                                      |
|                                                                            |                                                                                                  |
|                                                                            | (operatingSystem=\*server\*))                                                                    |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All member servers (not DC\'s)                                             | (&(objectCategory=computer)                                                                      |
|                                                                            |                                                                                                  |
| (Note 4)                                                                   | (operatingSystem=\*server\*)                                                                     |
|                                                                            |                                                                                                  |
|                                                                            | (!(userAccountControl:1.2.840.113556.1.4.803:=8192)))                                            |
|                                                                            |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All direct members of specified group                                      | (memberOf=cn=Test,ou=East,dc=Domain,dc=com)                                                      |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All users not direct members of a specified group                          | (&(objectCategory=person)                                                                        |
|                                                                            |                                                                                                  |
|                                                                            | (objectClass=user)                                                                               |
|                                                                            |                                                                                                  |
|                                                                            | (!(memberOf=cn=Test,ou=East,dc=Domain,dc=com)))                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All groups with specified direct member                                    | (member=cn=Jim Smith,ou=West,dc=Domain,dc=com)                                                   |
|                                                                            |                                                                                                  |
| (Note 19)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All members of specified group, including due to group nesting             | (memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)                             |
|                                                                            |                                                                                                  |
| (Note 10)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All groups specified user belongs to, including due to group nesting       | (member:1.2.840.113556.1.4.1941:=cn=JimSmith,ou=West,dc=Domain,dc=com)                           |
|                                                                            |                                                                                                  |
| (Notes 10, 19)                                                             |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Objects with givenName `Jim*` and sn `Smith*`, or with cn `Jim Smith*`     | (anr=Jim Smith)                                                                                  |
|                                                                            |                                                                                                  |
| (Note 11)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All attributes in the Schema                                               | (&(objectCategory=attributeSchema)                                                               |
| container replicated to the GC                                             |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 6, 12)                                                              | (isMemberOfPartialAttributeSet=TRUE))                                                            |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All operational (constructed)                                              | (&(objectCategory=attributeSchema)                                                               |
| attributes in the Schema                                                   |                                                                                                  |
| container                                                                  |                                                                                                  |
|                                                                            | (systemFlags:1.2.840.113556.1.4.803:=4))                                                         |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All attributes in the Schema                                               | (&(objectCategory=attributeSchema)                                                               |
| container not replicated to other                                          |                                                                                                  |
| Domain Controllers                                                         |                                                                                                  |
|                                                                            | (systemFlags:1.2.840.113556.1.4.803:=1))                                                         |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All objects where deletion is not                                          | (systemFlags:1.2.840.113556.1.4.803:=2147483648)                                                 |
| allowed                                                                    |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 4)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Attributes whose values are                                                | (searchFlags:1.2.840.113556.1.4.803:=16)                                                         |
| copied when the object is copied                                           |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Attributes preserved in tombstone                                          | (searchFlags:1.2.840.113556.1.4.803:=8)                                                          |
| object when object deleted                                                 |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Attributes in the Ambiguous Name                                           | (searchFlags:1.2.840.113556.1.4.803:=4)                                                          |
| Resolution (ANR) set                                                       |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Attributes in the Schema that are                                          | (searchFlags:1.2.840.113556.1.4.803:=1)                                                          |
| indexed                                                                    |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Attributes marked confidential in                                          | (searchFlags:1.2.840.113556.1.4.803:=128)                                                        |
| the schema                                                                 |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| Attributes in the RODC filtered                                            | (searchFlags:1.2.840.113556.1.4.803:=512)                                                        |
| attribute set, or FAS                                                      |                                                                                                  |
|                                                                            |                                                                                                  |
| (Notes 4, 12)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All inter-site connection objects                                          | (objectClass=siteLink)                                                                           |
| in the Configuration container                                             |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 13)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All intra-site connection objects                                          | (objectClass=nTDSConnection)                                                                     |
| in the Configuration container                                             |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 13)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| The nTDSDSA objects associated                                             | (&(objectCategory=nTDSDSA)                                                                       |
| with all Global Catalogs. This                                             |                                                                                                  |
| will identify all DC\'s that are                                           | (options:1.2.840.113556.1.4.803:=1))                                                             |
| GC\'s.                                                                     |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 4)                                                                   |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| The nTDSDSA object associated                                              | (&(objectClass=domainDNS)                                                                        |
| with the PDC Emulator. This will                                           |                                                                                                  |
| identify the DC with the PDC                                               | (fSMORoleOwner=\*))                                                                              |
| Emulator FSMO role.                                                        |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 18)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| The nTDSDSA object associated                                              | (&(objectClass=rIDManager)                                                                       |
| with the RID Master. This will                                             |                                                                                                  |
| identify the DC with the RID                                               | (fSMORoleOwner=\*))                                                                              |
| Master FSMO role                                                           |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 18)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| The nTDSDSA object associated                                              | (&(objectClass=infrastructureUpdate)                                                             |
| with the Infrastructure Master.                                            |                                                                                                  |
| This will identify the DC with                                             |                                                                                                  |
| this FSMO role.                                                            | (fSMORoleOwner=\*))                                                                              |
|                                                                            |                                                                                                  |
| (Note 18)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| The nTDSDSA object associated                                              | (&(objectClass=dMD)                                                                              |
| with the Schema Master. This will                                          |                                                                                                  |
| identify the DC with the Schema                                            | (fSMORoleOwner=\*))                                                                              |
| Master FSMO role.                                                          |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 18)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| The nTDSDSA object associated                                              | (&(objectClass=crossRefContainer)                                                                |
| with the Domain Naming Master.                                             |                                                                                                  |
| This will identify the DC with                                             | (fSMORoleOwner=\*))                                                                              |
| this FSMO role.                                                            |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 18)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All Exchange servers in the                                                | (objectCategory=msExchExchangeServer)                                                            |
| Configuration container                                                    |                                                                                                  |
|                                                                            |                                                                                                  |
| (Note 13)                                                                  |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All objects protected by                                                   | (adminCount=1)                                                                                   |
| AdminSDHolder                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All trusts established with a domain                                       | (objectClass=trustedDomain)                                                                      |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All Group Policy objects                                                   | (objectCategory=groupPolicyContainer)                                                            |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All service connection point objects                                       | (objectClass=serviceConnectionPoint)                                                             |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+
| All Read-Only Domain Controllers                                           | (userAccountControl:1.2.840.113556.1.4.803:=67108864)                                            |
|                                                                            |                                                                                                  |
| (Notes 4, 19)                                                              |                                                                                                  |
+----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+

1.  The filter (sAMAccountType=805306368) for user objects is more efficient
    than the more usual filter, but is harder to remember.
2.  The backslash character must be escaped in LDAP filters. Substitute \\5C.
3.  The asterisk character must be escaped in LDAP filters. Substitute \\2A.
4.  The string 1.2.840.113556.1.4.803 specifies LDAP_MATCHING_RULE_BIT_AND. This
    specifies a bitwise AND of a flag attribute (an integer), like
    userAccountControl, groupType, or systemFlags, and a bit mask (like 2, 32,
    or 65536). The clause is True if the bitwise AND of the attribute value and
    the bit mask is non-zero, indicating the bit is set.
5.  The accountExpires attribute is Integer8, a large 64-bit integer
    representing a date (in UTC) as the number of 100-nanosecond intervals since
    12:00 AM January 1, 1601. If an account does not expire, then accountExpires
    is either 0 or 2\^63-1 (9,223,372,036,854,775,807 the largest 64-bit integer
    allowed), both of which mean never.
6.  To filter on Boolean Active Directory attributes, like msNPAllowDialin or
    isMemberOfPartialAttributeSet, make sure the values TRUE or FALSE are all
    uppercase in the clause. This is the only time comparisons are case
    sensitive.
7.  The pwdLastSet attribute is Integer8.
8.  Byte arrays, like the objectGUID attribute, can be represented as a series
    of escaped hexadecimal bytes. The GUID
    {b95f3990-b59a-4a1b-9e96-86c66cb18d99} is equivalent to the hex
    representation \"90395fb99ab51b4a9e9686c66cb18d99\". Notice how the order of
    the first 8 bytes is reversed in groups. You specify the escaped hex bytes.
    You cannot specify the form in curly braces in a filter.
9.  The objectSID attribute is saved in Active Directory as a byte array. You
    can either specify the decimal display format
    S-1-5-21-73586283-152049171-839522115-1111 or the equivalent hex
    representation where each byte is escaped
    \"\\01\\05\\00\\00\\00\\00\\00\\05\\15\\00\\00\\00\\6B\\D6\\62\\04\\13\\16\\10\\09\\43\\17\\0A\\32\\57\\04\\00\\00\".
    The later might be easier in VBScript.
10. The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN.
    This applies only to DN attributes. This is an extended match operator that
    walks the chain of ancestry in objects all the way to the root until it
    finds a match. This reveals group nesting. It is available only on domain
    controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).
11. The string \"anr\" is an acronym for \"Ambiguous Name Resolution\". See the
    link below for complete explanation.
12. To query for attributes in the
    [Schema](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#Schema),
    the base of the query must be the Schema container, such as
    cn=Schema,cn=Configuration,dc=MyDomain,dc=com.
13. To query for objects in
    the [Configuration container](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#Configuration_Container)
    the base of the query must be the Configuration container, such as
    cn=Configuration,dc=MyDomain,dc=com.
14. The \"primary\" group for all Domain Controllers should be the group
    \"Domain Controllers\", which has the well-known RID 516.
15. Many LDAP filters for various types of Active Directory groups can use the
    groupType attribute and skip the usual (objectCategory=group) clause. This
    is because only group objects can have the groupType attribute. For example,
    the filter (groupType=2) will retrieve all global distribution groups.
    However, if the filter uses the \"Not\" operator, such as
    (!(groupType:1.2.840.113556.1.4.803:=2147483648)) for all distribution
    groups (groups that are not security groups), you will also retrieve all
    objects that do not have the groupType attribute. In this case you must
    \"And\" this clause with the (objectCategory=group) clause.
16. You might expect the LDAP filter for built-in security groups to be
    (groupType=2147483649) or (groupType=-2147483643). This is because the
    bit-wise \"Or\" of 2,147,483,648 (the bit mask for security groups) and 1
    (the bit mask for built-in groups) would result in these values. However,
    this returns no results. The reason is that the built-in groups in Active
    Directory are also domain local. You need to account for this by Or\'ing
    these values with 4, the bit mask for domain local groups. The result is
    (2,147,483,643 Or 1 Or 4) = 2,147,483,653, which after subtracting 2\^32
    (see Note 17) becomes -2,147,483,643. You can use either
    (groupType=2147483653) or (groupType=-2147483643) to retrieve all built-in
    domain local security groups. However, it probably makes more sense to just
    filter on all built-in groups with (groupType:1.2.840.113556.1.4.803:=1).
17. The userAccountControl and groupType attributes in Active Directory are
    32-bit integers. This means the values can range from -2\^31 to 2\^31 - 1,
    or -2,147,483,648 to 2,147,483,647 (the commas are shown here for
    readability, but are not allowed in filters). The values assigned to these
    attributes will be the result of a bit-wise \"Or\" of the appropriate bit
    mask for each setting. For example, the value assigned to the groupType
    attribute of a universal security group will be the \"Or\" of the bit mask
    for a universal group, which is 8, and the bit mask for a security group,
    which is 2,147,483,648. The result of (8 Or 2,147,483,648) is 2,147,483,656.
    Technically this value is not possible as it exceeds the maximum allowed for
    a 32-bit  integer. Instead, the system \"wraps\" the value into a negative
    number. The value 2,147,483,656 becomes -2,147,483,640. The rule is that if
    the value of a 32-bit integer is larger than 2\^31 -1, subtract 2\^32 (which
    is 4,294,967,296). The value of the groupType attribute for a universal
    security group becomes 2,147,967,296 - 4,294,967,296 = -2,147,483,640. This
    is the value your will see in Active Directory using ADSI Edit. Most
    utilities, scripts, and programs that accept LDAP syntax filters will work
    correctly with either value. However, in case the utility can only handle
    32-bit integers it would be safest to use the negative number. Also, the
    VBScript bit-wise operators (And, Or, Xor, Not) can only handle 32-bit
    integers.
18. There are
    five [FSMO](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#FSMO)
    roles. For the
    [PDC Emulator](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#PDC_Emulator),
    [RID Master](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#RID_Master),
    and [Infrastructure Master](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#Infrastructure_Master)
    roles the base of the query should be the domain. There is one of these FSMO
    roles for each domain. There is
    one [Schema Master](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#Schema_Master)
    and
    one [Domain Naming Master](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#Domain_Naming_Master)
    role for the forest. The base of the query to search for the Schema Master
    role should be the schema container, such as
    cn=Schema,cn=Configuration,dc=MyDomain,dc=com. The base of the query for the
    Domain Naming Master role should be the Configuration container, such as
    cn=Configuration,dc=MyDomain,dc=com. In all cases, the query will retrieve a
    nTDSDSA object. The parent of this object will have
    a [Relative Distinguished Name](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#Relative_Distinguished_Name)
    identical to that of the corresponding DC. This parent object has a
    dnsHostName attribute whose value is the DNS name of the DC with the FSMO
    role.
19. Many times you can take advantage of the fact that only one class of object
    in Active Directory has a particular attribute. For example, only group
    objects have the groupType and member attributes. This allows you to filter
    on groupType with a clause like (groupType=2) without using a second clause
    restricting the query to group objects, like (objectCategory=group).
    However, if your query only has the one filter, it will be checked against
    all objects in Active Directory. It turns out that if you also use the
    second clause (to restrict the query to groups), it runs faster. The results
    will be the same, and in most cases the time difference doesn\'t matter
    much, but a filter like (&(objectCategory=group) (member=cn=Jim
    Smith,ou=West,dc=MyDomain,dc=com)) is much faster than simply (member=cn=Jim
    Smith,ou=West,dc=MyDomain,dc=com).
20. According to RFC 2254, the NOT operator, \"!\", should operate on a clause
    in parentheses (similar to the operators \| and &). Although a clause
    similar to (!cn=\*Smith) works in almost all cases, it would be more correct
    to use (!(cn=\*Smith)). The first form works in VBScript, PowerShell V1,
    using the -LDAPFilter parameter with the PowerShell AD modules, in dsquery
    \*, and with Joe Richards\' adfind utility. However, cases have been
    reported where it raises an error.

## References

- [Atlassian Support: How to write LDAP search filters](https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html)
- [TheITBros.com: Active Directory LDAP Query Examples](https://theitbros.com/ldap-query-examples-active-directory/)
- [Active Directory: LDAP Syntax Filters](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)

## Additional Resources

- [Active Directory Glossary](https://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx) - This is a glossary of terms and acronyms used in Active Directory and related technologies.
- [Microsoft Docs: Active Directory Schema (AD Schema) Definitions](https://docs.microsoft.com/en-us/windows/win32/adschema/active-directory-schema) - Formal definitions of every attribute that can exist in an Active Directory object.